Combating the Insider Threat

Knowing when, where and how to react when there is an insider risk is critical

One of the most significant, and in many cases least considered, organizational risks involves the insider. Although CERT’s definition of insider threat (see box) focuses on the malicious insider, it clearly states that insider threats can be unintentional and non-malicious.

In many cases, the topic of the insider threat is taboo within the organization. Leaders will say, “We hire good people,” or “We perform background checks.” While those statements may be true, they represent a point in time and clearly don’t address the general insider threat problem.

The initial confusion stems from the differences between insider threat and the malicious insider, where the latter focuses on the insider’s malicious intent and the former focuses on the threat regardless of intent. Every organization needs to consider and manage the insider threat, regardless of intent.

To understand the types of malicious insider threat, we can use the simple acronym C-R-I-M-E, ironically presented to me by an FBI special agent. CRIME describes the drivers behind the malicious insider:

Compromise (or Coercion) – The insider has been compromised or coerced by an external entity that typically leverages blackmail, public embarrassment or intimidation

Revenge – The insider is disgruntled against their employer, supervisor or colleague for a perceived wrong

Ideology – The insider disagrees with the organization’s mission, policies or strategy

Money – The insider financially benefits, either through the malicious act itself or through some external entity funding their efforts

Ego – The insider views his/her abilities to be superior or his/her actions above the law

Compare the drivers behind the malicious insider to insider threats introduced through negligence, carelessness or lack of training. While the individual intent may be vastly different, the impact to the organization may be equally severe.

Organizations need to consider a proactive approach to the insider threat problem. Incorporating insider threat risk analysis into current risk management programs is essential, and considering insider threat as part of a comprehensive vulnerability assessment will certainly help as well.

We’re seeing maturity in identity access tools that can appropriately manage elevated privileged access (another critical insider problem), and can align insider actions and behaviors with SOC operations to react to anomalies. We’re also seeing emerging analytic tools that can detect anomalous user or application behaviors, which may be caused by insiders. However, many of these tools are reactive — they expose an insider threat problem when or after it has occurred.

Interestingly, there are some emerging technologies that try to get “in front” of insider threats. One innovative solution is called SCOUT, a patented application developed by Stroz Friedberg that scores insider communications (think email, chat, social media, etc.) across dozens of personality attributes and creates individual risk profiles.

SCOUT uses sophisticated psycholinguistic algorithms to create risk scores for individual users across the enterprise. The research that led to the development of the algorithms was initially conducted by the US government to profile world leaders, and later matured by a clinical psychologist working with Stroz Friedberg, leading to SCOUT. It identifies high-risk insiders based on their communications, while protecting individual privacy, relying on an extremely low rate of human review (less than 0.0001 percent, i.e. fewer than 1 in a million).

Regardless of the technology, it’s imperative that organizations find the right balance between organizational security and privacy concerns. Knowing when, where and how to react when they believe there is a significant insider risk is critical. Organizations need to continue to bring awareness to the insider threat problem, and mature their processes and tools to adequately manage insider threats.

Mike joined World Wide Technology in September 2010 after 25 years of government service at the National Security Agency. As the Vice President of Security Solutions, Mike leads a team of senior security experts and former CISO’s that work across our commercial and Federal sales, engineering, and professional services organizations to provide value to our customers.
